{ "type": "Domain", "indicator": "globalsystemperu.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/globalsystemperu.com", "alexa": "http://www.alexa.com/siteinfo/globalsystemperu.com", "indicator": "globalsystemperu.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3290258518, "indicator": "globalsystemperu.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 12, "pulses": [ { "id": "66828af454bc977c19ec8c74", "name": "Unfurling Hemlock: Threat group uses cluster bomb campaigns", "description": "A threat actor dubbed Unfurling Hemlock has been observed distributing hundreds of thousands of malware samples in a campaign lasting several months. The malware is distributed using a 'cluster bomb' technique where each sample contains multiple stages of nested executable files, each containing additional malware payloads. The distributed malware includes stealers like Redline, RisePro, and Mystic Stealer, as well as loaders like Amadey and SmokeLoader. The campaign appears financially motivated and targets victims globally with no specific industry focus. The actor is suspected to be Eastern European based on language artifacts and hosting infrastructure.", "modified": "2024-07-31T10:01:19.789000", "created": "2024-07-01T10:54:44.861000", "tags": [ "redline", "cluster bomb", "smokeloader", "mass distribution", "eastern european", "amadey", "risepro", "stealers", "mystic stealer" ], "references": [ "https://outpost24.com/blog/unfurling-hemlock-cluster-bomb-campaign/" ], "public": 1, "adversary": "Unfurling Hemlock", "targeted_countries": [], "malware_families": [ { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Mystic Stealer", "display_name": "Mystic Stealer", "target": null }, { "id": "RisePro", "display_name": "RisePro", "target": null }, { "id": "Amadey - S1025", "display_name": "Amadey - S1025", "target": null }, { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 389, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 14, "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 18, "domain": 3 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 386871, "modified_text": "671 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "564 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdd1247c16c5855518c7", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-02T07:05:02.060000", "created": "2024-07-02T08:44:01.648000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 286, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2521, "domain": 8243, "email": 7, "hostname": 2893 }, "indicator_count": 13683, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "669 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6682c9d5b27be45b5123bbf3", "name": "Unfurling Hemlock: Threat group uses cluster bomb campaigns", "description": "", "modified": "2024-07-31T15:00:10.053000", "created": "2024-07-01T15:23:01.017000", "tags": [ "wextract", "redline", "amadey", "mystic stealer", "smokeloader", "stealer", "krakenlabs", "risepro", "figure", "virustotal", "enigma", "cluster", "execution", "february", "malware", "steam", "exploit", "Unfurling Hemlock", "RAT" ], "references": [ "https://outpost24.com/blog/unfurling-hemlock-cluster-bomb-campaign" ], "public": 1, "adversary": "Unfurling Hemlock", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "sride0842", "id": "285173", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 16, "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 18, "domain": 3 }, "indicator_count": 43, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "670 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "667f98d02409e5a41744695c", "name": "Unfurling Hemlock: Threat group uses cluster bomb campaigns", "description": "", "modified": "2024-07-29T05:02:51.005000", "created": "2024-06-29T05:17:04.044000", "tags": [ "wextract", "redline", "amadey", "mystic stealer", "smokeloader", "hemlock", "stealer", "krakenlabs", "risepro", "figure", "virustotal", "enigma", "cluster", "execution", "february", "middle", "malware", "service", "steam", "exploit", "rats" ], "references": [ "https://outpost24.com/blog/unfurling-hemlock-cluster-bomb-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "text_account", "id": "221593", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 18, "URL": 16, "domain": 3 }, "indicator_count": 43, "is_author": false, "is_subscribing": null, "subscriber_count": 51, "modified_text": "673 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "667ebfe39da5263274c6a226", "name": "Unfurling Hemlock: Threat group uses cluster bomb campaigns", "description": "", "modified": "2024-07-28T13:00:49.905000", "created": "2024-06-28T13:51:31.415000", "tags": [ "wextract", "redline", "amadey", "mystic stealer", "smokeloader", "hemlock", "stealer", "krakenlabs", "risepro", "figure", "virustotal", "enigma", "cluster", "execution", "february", "middle", "malware", "service", "steam", "exploit", "rats" ], "references": [ "https://outpost24.com/blog/unfurling-hemlock-cluster-bomb-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 17, "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 18, "domain": 3 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "673 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "667ebfe5a80d4d68b51a24cd", "name": "Unfurling Hemlock: Threat group uses cluster bomb campaigns", "description": "", "modified": "2024-07-28T13:00:49.905000", "created": "2024-06-28T13:51:33.067000", "tags": [ "wextract", "redline", "amadey", "mystic stealer", "smokeloader", "hemlock", "stealer", "krakenlabs", "risepro", "figure", "virustotal", "enigma", "cluster", "execution", "february", "middle", "malware", "service", "steam", "exploit", "rats" ], "references": [ "https://outpost24.com/blog/unfurling-hemlock-cluster-bomb-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 17, "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 18, "domain": 3 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "673 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "667ebff3381ff80ad4943964", "name": "Unfurling Hemlock: Threat group uses cluster bomb campaigns", "description": "", "modified": "2024-07-28T13:00:49.905000", "created": "2024-06-28T13:51:47.467000", "tags": [ "wextract", "redline", "amadey", "mystic stealer", "smokeloader", "hemlock", "stealer", "krakenlabs", "risepro", "figure", "virustotal", "enigma", "cluster", "execution", "february", "middle", "malware", "service", "steam", "exploit", "rats" ], "references": [ "https://outpost24.com/blog/unfurling-hemlock-cluster-bomb-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 17, "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 18, "domain": 3 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "673 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "667e9696a8ed216d59a6cbd5", "name": "Unfurling Hemlock: Threat group uses cluster bomb campaigns", "description": "", "modified": "2024-07-28T10:02:22.981000", "created": "2024-06-28T10:55:18.173000", "tags": [ "wextract", "redline", "amadey", "mystic stealer", "smokeloader", "hemlock", "stealer", "krakenlabs", "risepro", "figure", "virustotal", "enigma", "cluster", "execution", "february", "middle", "malware", "service", "steam", "exploit", "rats" ], "references": [ "https://outpost24.com/blog/unfurling-hemlock-cluster-bomb-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "bluenumberone", "id": "246058", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 18, "URL": 16, "domain": 3 }, "indicator_count": 43, "is_author": false, "is_subscribing": null, "subscriber_count": 71, "modified_text": "674 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6552b9cc797497438d020cdc", "name": "ACTIVIDAD MALICIOSA | Relacionada con Smoke Loader 13-11-2023", "description": "Smoke Loader es un malware de tipo troyano que se utiliza para propagar otros virus. Los ciberdelincuentes propagan Smoke Loader mediante correos electr\u00f3nicos no deseados (archivos adjuntos maliciosos).\n\nPor lo tanto, normalmente se infiltra en los sistemas sin el consentimiento de los usuarios. Despu\u00e9s de una infiltraci\u00f3n exitosa, el malware realiza una serie de acciones, tales como: 1) autoactualizaci\u00f3n; 2) eliminar todo rastro, y; 3) descargar otros virus.", "modified": "2023-12-13T23:00:37.947000", "created": "2023-11-14T00:05:32.997000", "tags": [ "k0pmbc", "spsfsb", "zwdk9d", "ntmzac", "vwdzfe", "lanrae", "al0b8", "daij8c", "evnhjf", "ekyfhd" ], "references": [ "https://www.pcrisk.com/removal-guides/12968-smoke-loader-trojan", "https://www.virustotal.com/graph/embed/g738c7da9703f4c4abe9ad9d42e377cc5c8bb51aec2f143418345a616628bf407?theme=light", "https://alertas-y-seguridad.jimdosite.com/repositorio-ioc/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Smoke Loader", "display_name": "Smoke Loader", "target": null }, { "id": "Smoke Loader - S0226", "display_name": "Smoke Loader - S0226", "target": null } ], "attack_ids": [ { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1138", "name": "Application Shimming", "display_name": "T1138 - Application Shimming" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1073", "name": "DLL Side-Loading", "display_name": "T1073 - DLL Side-Loading" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "esoporteingenieria2020", "id": "121604", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 26, "domain": 16, "FileHash-MD5": 78, "FileHash-SHA256": 53, "hostname": 1, "FileHash-SHA1": 51 }, "indicator_count": 225, "is_author": false, "is_subscribing": null, "subscriber_count": 266, "modified_text": "901 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://alertas-y-seguridad.jimdosite.com/repositorio-ioc/", "https://outpost24.com/blog/unfurling-hemlock-cluster-bomb-campaign/", "https://outpost24.com/blog/unfurling-hemlock-cluster-bomb-campaign", "https://www.pcrisk.com/removal-guides/12968-smoke-loader-trojan", "https://www.virustotal.com/graph/embed/g738c7da9703f4c4abe9ad9d42e377cc5c8bb51aec2f143418345a616628bf407?theme=light" ], "related": { "alienvault": { "adversary": [ "Unfurling Hemlock" ], "malware_families": [ "Risepro", "Smokeloader", "Redline", "Amadey - s1025", "Mystic stealer" ], "industries": [] }, "other": { "adversary": [ "Unfurling Hemlock" ], "malware_families": [ "Smoke loader - s0226", "Smoke loader" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 12, "pulses": [ { "id": "66828af454bc977c19ec8c74", "name": "Unfurling Hemlock: Threat group uses cluster bomb campaigns", "description": "A threat actor dubbed Unfurling Hemlock has been observed distributing hundreds of thousands of malware samples in a campaign lasting several months. The malware is distributed using a 'cluster bomb' technique where each sample contains multiple stages of nested executable files, each containing additional malware payloads. The distributed malware includes stealers like Redline, RisePro, and Mystic Stealer, as well as loaders like Amadey and SmokeLoader. The campaign appears financially motivated and targets victims globally with no specific industry focus. The actor is suspected to be Eastern European based on language artifacts and hosting infrastructure.", "modified": "2024-07-31T10:01:19.789000", "created": "2024-07-01T10:54:44.861000", "tags": [ "redline", "cluster bomb", "smokeloader", "mass distribution", "eastern european", "amadey", "risepro", "stealers", "mystic stealer" ], "references": [ "https://outpost24.com/blog/unfurling-hemlock-cluster-bomb-campaign/" ], "public": 1, "adversary": "Unfurling Hemlock", "targeted_countries": [], "malware_families": [ { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Mystic Stealer", "display_name": "Mystic Stealer", "target": null }, { "id": "RisePro", "display_name": "RisePro", "target": null }, { "id": "Amadey - S1025", "display_name": "Amadey - S1025", "target": null }, { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 389, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 14, "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 18, "domain": 3 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 386871, "modified_text": "671 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "564 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdd1247c16c5855518c7", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-02T07:05:02.060000", "created": "2024-07-02T08:44:01.648000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 286, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2521, "domain": 8243, "email": 7, "hostname": 2893 }, "indicator_count": 13683, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "669 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6682c9d5b27be45b5123bbf3", "name": "Unfurling Hemlock: Threat group uses cluster bomb campaigns", "description": "", "modified": "2024-07-31T15:00:10.053000", "created": "2024-07-01T15:23:01.017000", "tags": [ "wextract", "redline", "amadey", "mystic stealer", "smokeloader", "stealer", "krakenlabs", "risepro", "figure", "virustotal", "enigma", "cluster", "execution", "february", "malware", "steam", "exploit", "Unfurling Hemlock", "RAT" ], "references": [ "https://outpost24.com/blog/unfurling-hemlock-cluster-bomb-campaign" ], "public": 1, "adversary": "Unfurling Hemlock", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "sride0842", "id": "285173", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 16, "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 18, "domain": 3 }, "indicator_count": 43, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "670 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "667f98d02409e5a41744695c", "name": "Unfurling Hemlock: Threat group uses cluster bomb campaigns", "description": "", "modified": "2024-07-29T05:02:51.005000", "created": "2024-06-29T05:17:04.044000", "tags": [ "wextract", "redline", "amadey", "mystic stealer", "smokeloader", "hemlock", "stealer", "krakenlabs", "risepro", "figure", "virustotal", "enigma", "cluster", "execution", "february", "middle", "malware", "service", "steam", "exploit", "rats" ], "references": [ "https://outpost24.com/blog/unfurling-hemlock-cluster-bomb-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "text_account", "id": "221593", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 18, "URL": 16, "domain": 3 }, "indicator_count": 43, "is_author": false, "is_subscribing": null, "subscriber_count": 51, "modified_text": "673 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "667ebfe39da5263274c6a226", "name": "Unfurling Hemlock: Threat group uses cluster bomb campaigns", "description": "", "modified": "2024-07-28T13:00:49.905000", "created": "2024-06-28T13:51:31.415000", "tags": [ "wextract", "redline", "amadey", "mystic stealer", "smokeloader", "hemlock", "stealer", "krakenlabs", "risepro", "figure", "virustotal", "enigma", "cluster", "execution", "february", "middle", "malware", "service", "steam", "exploit", "rats" ], "references": [ "https://outpost24.com/blog/unfurling-hemlock-cluster-bomb-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 17, "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 18, "domain": 3 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "673 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "667ebfe5a80d4d68b51a24cd", "name": "Unfurling Hemlock: Threat group uses cluster bomb campaigns", "description": "", "modified": "2024-07-28T13:00:49.905000", "created": "2024-06-28T13:51:33.067000", "tags": [ "wextract", "redline", "amadey", "mystic stealer", "smokeloader", "hemlock", "stealer", "krakenlabs", "risepro", "figure", "virustotal", "enigma", "cluster", "execution", "february", "middle", "malware", "service", "steam", "exploit", "rats" ], "references": [ "https://outpost24.com/blog/unfurling-hemlock-cluster-bomb-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 17, "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 18, "domain": 3 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "673 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "667ebff3381ff80ad4943964", "name": "Unfurling Hemlock: Threat group uses cluster bomb campaigns", "description": "", "modified": "2024-07-28T13:00:49.905000", "created": "2024-06-28T13:51:47.467000", "tags": [ "wextract", "redline", "amadey", "mystic stealer", "smokeloader", "hemlock", "stealer", "krakenlabs", "risepro", "figure", "virustotal", "enigma", "cluster", "execution", "february", "middle", "malware", "service", "steam", "exploit", "rats" ], "references": [ "https://outpost24.com/blog/unfurling-hemlock-cluster-bomb-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 17, "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 18, "domain": 3 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "673 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "globalsystemperu.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "globalsystemperu.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780400826.6728785 }